[Bro] Speed up bro execution

mike anastasakis anastasakis62 at gmail.com
Fri Apr 21 03:32:36 PDT 2017


I am handling rather big pcap files in the size of 500gb and bro execution
takes a few hours to complete. For this reason I am looking for ways to
speed up the execution.

I want to keep only specific log files with the goal of making my bro
execution faster. For my research I want to keep the following files:
*conn.log, ssl.log, x509.log, dns.log, http.log*
From what I understood this command should do the trick:
*bro -r <pcap_file_name> -b base/protocols/ssl base/protocols/dns base/protocols/conn base/protocols/http*
However, with the addition of base/protocols/ssl I also get the tunnel.log
and files.log which I do not need. Is there a way to exclude these files
from logging?

Moreover, I have a rather powerful machine with 8 cores and 8gb of RAM.
Does anyone know a way to fully utilize that when using bro?

Thanks all,